HTTPS about homepage HOT 30 CLOSED

Set rubyonrails.org up with google webmaster tools, submitted the sitemap, and requested a re-indexing from google. Hopefully that clears things up in 24 hours or so.

from homepage.

Super cool, @connorshea! Thanks for sharing.

I see this as a nice-to-have at this point, outweighed by the value we got from consolidating our setup. Happy to wait weeks, months, to see if GitHub steps it up 😊

from homepage.

@twe4ked That's because the certificate is the one Github provided for rails.github.io which makes it invalid for rubyonrails.org the only solutions to that problem are the ones we've discussed earlier in the thread.

from homepage.

@eileencodes @dhh Someone should check the https://github.com/rails/homepage/settings since I noticed that GitHub has been trialing Let's Encrypt support for GitHub Pages sites.

I just turned it on for keepachangelog.com last night and it was a breeze:

It would be a really good thing if rubyonrails.org could be served through HTTPS.

from homepage.

@paulRbr

From the setting page: "Unavailable for your site because you have a custom domain configured (rubyonrails.org)"

But we are working on it.

from homepage.

https://rubyonrails.org/

from homepage.

👍

from homepage.

GitHub pages, that is what we use for publishing our website, doesn't support HTTPS. Without moving this site to a different infrastructure or putting a CDN in front of it would be impossible to implement HTTPS. You can find the same checksums in the rubygems page (which uses HTTPS) so you can double check if there was any modification in the content using it.

I'm not sure if it is worth to use HTTPS in the website and blog until we have support for that in GitHub pages.

from homepage.

Well, you can just toss Cloudflare in front of it, which is probably a good idea anyway.

from homepage.

Well, you can just toss Cloudflare in front of it, which is probably a good idea anyway.

Yes, that is exactly what I said with "putting a CDN in front of it". Having cloudflare still don't solve this issue because the connection between Cloudflare and GitHub pages will be unencrypted and an attacker would be able to modify the pages content there too

from homepage.

GitHub pages allows HTTPS like that: https://example.github.io.

Even though you've to trust Cloudflare in proxying between the two secure connections (user ↔ Cloudflare, Cloudflare ↔ GitHub), I believe it's still the better solution than no HTTPS. What is more trustful in your eyes? Cloudflare or any WLAN accesspoint or ISP your visitors are using?

Update:

Apprearently I was wrong about the HTTPS connection between Cloudflare and GitHub:

• https://konklone.com/post/github-pages-now-sorta-supports-https-so-use-it
• isaacs/github#156 (comment)

The connection between Cloudflare and GitHub is not being encrypted.

from homepage.

@rafaelfranca I still think it's valuable, as it prevents bad actors from snooping into user traffic.

The only way to have all the benefits of SSL is to host it on something besides Github pages, which I think might be a good idea anyway. I don't know much about hosting static sites, but, in all honesty, it doesn't sound too hard to just throw up an EC2 instance with NGINX and LetsEncrypt.

from homepage.

@AnthonySuper I know this issue is old but I'm putting my 2 cents in. But Github Pages is free and EC2 is not. Probably the only viable solution without a budget increase is Cloudflare but that'll mainly slow down GH Pages in my experience.

from homepage.

They could always mirror this repository onto GitLab and use GitLab Pages with Let's Encrypt.

from homepage.

We could host it ourselves again, but we moved to GH pages to get out of that business.

Odds are we can be patient a while and GitHub will support TLS sooner than later 😙

from homepage.

@jeremy That's prolly best course of action. I'm surprised they don't support it already.

from homepage.

@jeremy You can use https://gitlab.com w/ Pages for free: https://pages.gitlab.io/

GitLab Pages is just like GitHub Pages, but with TLS :) I can understand not wanting to move off GitHub, but you can mirror the homepage repo and have commits synced between the two every hour. You can also trigger a manual sync if you want to get a change out ASAP.

Worth considering, but again, I can definitely understand the convenience of GH Pages.

See also: https://about.gitlab.com/2016/04/11/tutorial-securing-your-gitlab-pages-with-tls-and-letsencrypt/

Disclosure: GitLab employee :P

from homepage.

The first result in Google is pointing to the HTTPS URL which currently has a certificate error:

from homepage.

from homepage.

@dhh It already is

from homepage.

from homepage.

Well best guess they're detecting that we have the certificate without seeing that it's invalid...

from homepage.

@dhh I beleive the Canonical tag was added after we found that google was picking https to index over http. If we (Rails) have google webmaster tools (or search console I think it's called now) we can force a re-crawl of the Rails site. If we don't we can add it easily enough and force a re-crawl.

from homepage.

from homepage.

How strange. Searching Google for "rails" gives me an http link which works, but "ruby on rails" gives an https link to the same page...

I would (like others) strongly encourage moving to https in any case. Even if there's not a compelling need, rails should be setting a good example in this regard - also, search engines and browsers are more and more favouring https.

from homepage.

From the setting page: "Unavailable for your site because you have a custom domain configured (rubyonrails.org)"

from homepage.

Maybe @eileencodes can put in a good word with the team at GitHub responsible for this because Keep a Changelog definitely has the same custom domain settings.

https://help.github.com/articles/securing-your-github-pages-site-with-https/ says:

HTTPS is not supported for GitHub Pages using custom domains.

But clearly it's not true in all cases anymore.

from homepage.

Apparently is not a 'production ready' feature, still on testing phase, and not officially supported:
https://gist.github.com/coolaj86/e07d42f5961c68fc1fc8#gistcomment-2370070

Hi ligi,
As you've discovered, some GitHub Pages sites have been issued SSL certificates from Let's Encrypt, enabling HTTPS for your custom domain. This isn't officially supported yet and it's not possible for you to enable and enforce it on your sites at this time.
We know how important secure browsing is for our users, but we don't have anything official to announce at this time. If and when this feature is officially released, we will announce it on our blog:
https://github.com/blog
Let us know if you have other questions!

Thanks,
Thomas
GitHub Support

from homepage.

https://blog.github.com/2018-05-01-github-pages-custom-domains-https/

☝️ this is good news from Github. Any chance to enable it for rubyonrails.org? Thanks!

from homepage.

Once your updated DNS records have propagated, and you’ve confirmed that your site loads correctly over HTTPS, you can optionally “Enforce HTTPS” for your domain in your repository’s settings, ensuring users who request your site over HTTP are upgraded to HTTPS.

from homepage.